Companies House Security Catastrophe: Five Months of Open Season on Every UK Company's Data – Proof the State Can't Be Trusted with a Spreadsheet, Let Alone Our Privacy
Posted by Ken Frost – The Loanbuster – 16 March 2026
Blimey, if this doesn't make your blood boil, nothing will!
Companies House – the government's own corporate register, the supposed guardian of company integrity – has just admitted what any half-decent hacker already knew: for five bloody months, every single one of the five million+ registered UK companies was wide open to a laughably simple exploit. Anyone in the world – from a bedroom script-kiddie in Belarus to a fraud gang in Nigeria – could log in, view private dashboards, see directors' home addresses, email addresses, dates of birth, and – get this – actually change company details, file fake accounts, or hijack the lot.
The bug? Press the back button on the dashboard. That's it. No fancy zero-day, no SQL injection masterclass – just the browser's back button breaking their entire authentication system. Discovered and exposed on Friday by sharp-eyed researchers (shout-out to Dan Neidle and co for blowing the whistle), Companies House finally suspended WebFiling and issued the grovelling statement: "We identified the issue... we're investigating... sorry for any inconvenience."
Inconvenience? This is a full-blown national security and fraud tsunami!
For five months – that's 150 days of vulnerability – crooks could've:
- Swapped director details to enable identity theft on an industrial scale
- Filed bogus accounts to launder money or hide dodgy dealings
- Changed company names/addresses to front shell companies for scams
- Exposed home addresses and personal emails of millions of directors, leaving families open to stalking, burglary, or doxxing
And the government's response? "Quickly resolved." Yeah, after it was public. How many frauds were committed in those five months? How many fake filings went through? They'll never tell us the full truth – because admitting the scale would be career-ending for the mandarins in charge.
This isn't a one-off glitch; it's systemic incompetence from a state organ that's meant to protect us. Companies House holds our most sensitive business data – the backbone of UK commerce – yet they couldn't secure it against something toddlers discover in browser dev tools. While banks get fined millions for far lesser breaches, this lot gets a polite slap on the wrist and a "lessons learned" memo.
The bigger picture? Governments and their quangos cannot be trusted with our data. Full stop.
- They collect it compulsorily (you have no choice but to file with them).
- They promise ironclad security (laughable).
- When they cock it up spectacularly, the fallout lands on us – higher fraud risk, identity theft nightmares, potential business ruin – while they hide behind "ongoing investigations" and taxpayer-funded lawyers.
Remember the DVLA leaks? HMRC blunders? NHS data disasters? Same story every time: over-centralised, under-secured, and zero real accountability. The state hoards our info like a dragon on gold, then leaves the cave door wide open.
Directors: check your company details NOW. Monitor for weird filings. Consider using a service address instead of your home address going forward. And for God's sake, stop believing the mantra that "government knows best" on data protection.
This fiasco proves the opposite: the state is the biggest risk to our privacy and security. Time to shrink their data empire, enforce real penalties for their screw-ups, and let private alternatives handle what the bureaucrats clearly can't.
Resignations at the top? Fat chance. But trust in the system? That's already evaporated.
Stay vigilant, folks. Your data's only as safe as the weakest link – and right now, that's Whitehall.
Ken Frost
Professional Cynic, Chartered Accountant and relentless Loanbuster
www.kenfrost.net – exposing state incompetence since 2005